diff --git a/bp/cart/global_routes.py b/bp/cart/global_routes.py
index a05fe46..684f663 100644
--- a/bp/cart/global_routes.py
+++ b/bp/cart/global_routes.py
@@ -31,6 +31,7 @@ from .services.checkout import (
     get_order_with_details,
 )
 from shared.browser.app.payments.sumup import create_checkout as sumup_create_checkout
+from shared.browser.app.csrf import csrf_exempt
 
 
 def register(url_prefix: str) -> Blueprint:
@@ -205,6 +206,7 @@ def register(url_prefix: str) -> Blueprint:
 
         return redirect(hosted_url)
 
+    @csrf_exempt
     @bp.post("/checkout/webhook/<int:order_id>/")
     async def checkout_webhook(order_id: int):
         """Webhook endpoint for SumUp CHECKOUT_STATUS_CHANGED events."""